Internet Disconnected Devices Vulnerable Thanks to NAT Slipstreaming


Saturday, January 30th, 2021

Internal devices that are not themselves exposed to the Internet can now be reached through a new version of the known NAT slipstreaming attack. The variant lets a remote attacker open paths to multiple devices behind a victim's NAT, not just the one that took the bait. The attacker only needs to convince an Internet-connected user on that network to open a malicious link; from there, other non-exposed endpoints, including unmanaged devices such as industrial controllers and office printers, become reachable with no further social engineering.

In the original NAT slipstreaming attack, disclosed last November, an attacker persuades a victim on an internal network to visit a specially crafted website. That site then fools the network's NAT into opening an incoming path (a TCP or UDP port) from the Internet to the victim's own device.

For the attack to work, the NAT or firewall in front of the victim must have an Application-Level Gateway (ALG) connection-tracking mechanism enabled for the relevant protocol; such ALGs are commonly built into consumer and enterprise NATs. NAT slipstreaming combines the user's browser with that ALG: when the victim visits an attacker-controlled page, JavaScript running in the browser sends additional, carefully shaped traffic to the attacker's server. That traffic passes through the NAT/firewall, whose ALG inspects it as if it were a legitimate protocol exchange and creates the inbound mapping.

In the newly discovered variant, the attacker fools the NAT (through its H.323 ALG, whose call-setup messages carry the internal address and port the NAT should forward to) into creating incoming paths to any device on the internal network, not only to the victim device that followed the malicious link. The researchers gave the example of an office printer that can be controlled through its default printing protocol or through its internal web server: using NAT slipstreaming, an attacker could knock it offline or make it print arbitrary documents, and, depending on the printer's features, access stored documents.
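To make the mechanism concrete, here is a small model of a NAT with an ALG, written for this article as an added example; it is not code from the original page or from the researchers. The "SETUP callback=host:port" message format, the addresses and the helper names are constructed (a real ALG parses SIP or H.323, not this toy line). The naive ALG trusts whatever internal address the outbound payload advertises, which is the behaviour the new variant relies on to reach a device that never touched the attacker's page; the hardened variant only opens a pinhole to the host that actually sent the message, which still permits the original attack's self-directed pinhole but nothing else.

```javascript
// Added example: a toy model of a NAT whose ALG opens inbound pinholes based
// on addresses found in outbound application-layer traffic. Not from the
// article or the researchers; the "SETUP callback=host:port" message format,
// the addresses and the helper names are constructed for illustration.

const INTERNAL_PREFIX = "192.168.1.";   // assumed LAN behind the NAT
const FIRST_EXTERNAL_PORT = 40000;      // first public port the NAT hands out

// Parse the constructed call-setup message an ALG would find in the TCP
// payload. Returns the advertised internal callback endpoint, or null.
function parseCallSetup(payload) {
  const m = /^SETUP callback=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$/.exec(payload.trim());
  if (!m) return null;
  return { host: m[1], port: Number(m[2]) };
}

class NatWithAlg {
  // validateAdvertisedHost=false models the ALG behaviour the attack relies on;
  // true models an ALG that refuses to forward to a host other than the sender.
  constructor(validateAdvertisedHost) {
    this.validateAdvertisedHost = validateAdvertisedHost;
    this.pinholes = [];            // { externalPort, internalHost, internalPort }
    this.nextExternalPort = FIRST_EXTERNAL_PORT;
  }

  // Outbound packet from an internal host. The ALG inspects the payload and,
  // if it looks like call setup for an internal endpoint, opens a pinhole.
  outbound(srcHost, payload) {
    const adv = parseCallSetup(payload);
    if (!adv) return null;                                  // not ALG traffic
    if (!adv.host.startsWith(INTERNAL_PREFIX)) return null; // must be on our LAN
    if (this.validateAdvertisedHost && adv.host !== srcHost) return null;
    const pinhole = {
      externalPort: this.nextExternalPort++,
      internalHost: adv.host,
      internalPort: adv.port,
    };
    this.pinholes.push(pinhole);
    return pinhole;
  }

  // Inbound packet from the Internet to the NAT's public address: where does
  // the NAT deliver it? null means the packet is dropped.
  inbound(dstPort) {
    const p = this.pinholes.find((x) => x.externalPort === dstPort);
    return p ? { host: p.internalHost, port: p.internalPort } : null;
  }
}

// Replay the two scenarios: the browser that visited the malicious page
// advertises (a) its own address, as in the original attack, and (b) the
// address of an unrelated internal printer, as in the new variant.
function simulate() {
  const victim = "192.168.1.20";   // browser that opened the malicious link
  const printer = "192.168.1.77";  // device that never touched the attacker's page
  const selfPayload = `SETUP callback=${victim}:8080`;
  const printerPayload = `SETUP callback=${printer}:9100`;

  const naive = new NatWithAlg(false);
  const hardened = new NatWithAlg(true);

  const naiveSelf = naive.outbound(victim, selfPayload);
  const naivePrinter = naive.outbound(victim, printerPayload);
  const hardenedSelf = hardened.outbound(victim, selfPayload);
  const hardenedPrinter = hardened.outbound(victim, printerPayload);

  return {
    naiveSelf,
    naivePrinter,
    hardenedSelf,
    hardenedPrinter,
    // What an attacker reaches by connecting to the NAT's public IP on the
    // port the naive ALG just opened for the printer.
    naiveReach: naivePrinter ? naive.inbound(naivePrinter.externalPort) : null,
    // The hardened NAT never allocated that second port, so the packet is dropped.
    hardenedReach: hardened.inbound(FIRST_EXTERNAL_PORT + 1),
  };
}

console.log(JSON.stringify(simulate(), null, 2));
```

Run it with Node; `naiveReach` shows the Internet-side attacker landing on the printer's port 9100 although only the victim's browser ever sent a packet, while `hardenedPrinter` and `hardenedReach` are null. The one check that separates the two models, comparing the advertised host against the real sender, is the kind of validation the ALG lacks in the real variant.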

The researchers added that such actions still require the newly exposed interface to be insecure, as is the case for other targets: opening a path to a device only gives the attacker a connection, and they must then be able to do something with the exposed service. Many unmanaged devices that are not Internet-facing require no password, they noted, or remain unpatched.

Like the original attack, the new version has been mitigated in the browsers, which now refuse to connect to the H.323 and SIP ports the ALGs inspect (1719, 1720, 1723, 5060 and 5061), so the browser can no longer be used to deliver the crafted traffic. Chromium tracks the new variant as CVE-2020-16043 and Firefox as CVE-2021-23961. The fixed releases are Chrome 87.0.4280.141, Firefox 85.0 and Safari 14.0.3; Microsoft Edge is patched as well because it is built on Chromium. Note that the browser patches only close the delivery vector: the ALG on the NAT still trusts addresses it finds in application-layer payloads, so disabling unneeded ALGs (SIP, H.323) on the NAT or firewall is the network-side mitigation.
